
Isogeny-based Group Signatures and Accountable Ring Signatures in QROM

Kai-Min Chung, Yao-Ching Hsieh, Mi-Ying Huang, Yu-Hsuan Huang, Tanja Lange, Bo-Yin Yang

Abstract

We present the first provably secure isogeny-based group signature (GS) and accountable ring signature (ARS) in the quantum random oracle model (QROM). We do so via introducing and constructing an intermediate primitive called the openable sigma protocol and demonstrating that any such protocol gives rise to a secure GS and ARS. Furthermore, QROM security is guaranteed if an additional perfect unique-response property (which is achieved via our tailored construction) is satisfied. Previous works by Beullens et al. (Eurocrypt 2022, Asiacrypt 2020) proposed isogeny-based GS and ARS with better efficiency but were only analyzed in the classical random oracle model (CROM). It is well-known that CROM security does not generally translate to QROM security; with the growing relevance of isogeny-based constructions in post-quantum cryptography, the current state of the art is unsatisfactory. Moreover, the aforementioned existing isogeny-based signatures were recently affected by the Fiat-Shamir with aborts (FSwA) flaw discovered by Barbosa et al. and Devevey et al. (CRYPTO 2023), leaving the provable security of isogeny-based signatures open to question once again. Our constructions are not only immune to the FSwA flaw but also provide stronger QROM security. As current QROM-secure ARS and GS schemes are mostly lattice-based, we offer a robust post-quantum alternative should lattice assumptions weaken.

Paper Structure

This paper contains 44 sections, 20 theorems, 52 equations, 2 figures, 9 algorithms.

Key Result

theorem 1

(Informal) Let $\Sigma$ be a secure openable sigma protocol. Then ${\cal ARS}_{\Sigma}^t$ is a classically secure ARS. Furthermore, if $\Sigma$ is perfect unique-response, then ${\cal ARS}_\Sigma^t$ is QROM-secure.

Figures (2)

  • Figure 1: The oracles ${\bf Prog}$ and ${\bf Trans}$
  • Figure 2: An aborting Sigma protocol $\Sigma$ that may leak $\mathsf{sk}$; its non-abort transcripts $\Sigma|_{\mathsf{resp}\neq\bot}$, which do not leak $\mathsf{sk}$ (formally, they are simulatable by $\mathbf{Sim}_\Sigma$); and its FSwA signatures ${\sf FSwA}[\Sigma]$, which can be simulated by $\mathbf{Sim}$.

Theorems & Definitions (58)

  • theorem 1
  • definition 1: Group Action Inverse Problem (GAIP)
  • definition 2: Decisional CSIDH (D-CSIDH) / DDHAP
  • definition 3: Parallelized-DDHAP (P-DDHAP)
  • definition 4
  • definition 5
  • remark 1
  • definition 6
  • definition 7: High min-entropy
  • definition 8: Unique-response property
  • ...and 48 more